Discover how mastering email communication can boost business efficiency, avoid common pitfalls, and ensure secure, respectful online interactions.
Turkey Revenge
The turkeys are pissed this Thanksgiving, and they are seeking revenge.
Germs Infest 60% of America’s Phones
60% of Americans sleep with their phones, harboring germs. Cleaning regularly with UV sanitizer or alcohol wipes can help keep your phone and bed germ-free.
Smartphone Sanitizing: A Practical Guide
Securely erase personal data from your old smartphone before recycling. Protect your identity from hackers—easy steps to follow.
Why Soft Skills Matter in Today’s Job Market
Boost your career with essential soft skills like communication, teamwork, and emotional intelligence. Learn why they’re crucial for workplace success.
Should I Care About 768k Day?
If you are of a certain age, you remember Y2K. While I was not rewriting COBOL programs, I played my part. I spent the last half of 1999 scheduling after-hours downtime to update Compaq 1900 and 2500 servers with BIOS updates on a floppy disk, hoping and praying the servers would come back up after the floppy disk stopped grinding. As I recall, only two Compaq ProLiant 2500s failed the BIOS upgrade and only one was DOA.
All the fun of Y2K was because memory space was too small to accommodate the fancy new year 2000 without thinking it was 1900. Now a similar memory size problem could cause internet disruptions very soon. The problem is called 768k Day.
768k Day is when the size of the global BGP routing table is expected to exceed 768,000 entries. TechRadar explains that on August 12, 2014, a similar problem occurred after Verizon (VZ) advertised 15,000 new BGP routes to the internet. Verizon’s actions caused the global BGP routing table, a file that holds the IPv4 addresses of all known internet-connected networks, to exceed 512,000 entries, causing the 512K Day crisis.
The TechRadar article explains that in 2014, ISPs and others had configured the memory of their router TCAMs (ternary content-addressable memory) for a limit of 512K route entries, and some older routers suffered memory overflows which led their CPUs to crash. These crashes created significant packet loss and traffic outages across the internet, with even large provider networks being affected. ZDNet says companies like Microsoft, eBay, BT, Comcast, AT&T, Sprint, and Verizon were all impacted by 512K Day.
Engineers and network administrators rushed to apply emergency firmware patches to set a new upper limit which in many cases was 768k entries. The seeds of the 2019 768k crisis were sown.
Mr. speculates that in 2019 most of the large providers who felt 512K Day’s impact have likely updated and maintained their infrastructures reasonably well, which could lead to fewer outages. He says that there are still ‘soft spots’: smaller ISPs, data centers, and other providers who are part of the Internet’s fabric, where maintenance on legacy routers and network equipment can be neglected or missed more easily.
These are the places that will most likely see some issues or outages due to 768k Day. These outages will create significant packet loss and traffic outages that could have a ripple effect, sweep upstream, and affect larger provider networks. Network intelligence firm ThousandEyes writes, “Given the sheer size and unregulated nature of the Internet, it’s fair to say that things will be missed.”
rb-
To prepare for any potential disruptions, it is a good idea to perform some preventative maintenance on any routers that receive full internet routes. Jim Troutman, Director at the Northern New England Neutral Internet Exchange (NNENIX) told ZDNet,
The 768k IPv4 route limit is only a problem if you are taking ALL routes. If you discard or don’t accept /24 routes, that eliminates half the total BGP table size.
There is still a little time left before 768K Day. As of 2019-06-21 16:00 UTC, the Regional Internet Registry for Europe, the Middle East, and parts of Central Asia (RIPE) reports that 86.9% of the IPv4 BGP tables they monitor are below 768K.
What is the big deal? Network intelligence firm ThousandEyes points out that there are many outage events that happen every day, especially on the fringes of the Internet. The number of garden variety outages could get amplified because of 768k day-related issues over the next few weeks.
Aaron A. Glenn, a networking engineer with AAGICo Berlin told ZDNet,
“The Cisco 6500/7600 product line was extremely popular for an exceptionally long time in many, many places,” so don’t be surprised if some networks go offline because they forgot about 768k Day and didn’t prepare.
Related articles
- Target Suffers Pair of Outages and It’s a Reminder We’re All Just 1 Technology Fail Away From Chaos (Inc.)
Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedIn, Facebook, and Twitter. Email the Bach Seat here.
Is Yuzo on Your WordPress site?
I am still busy unpacking and re-arranging the furniture at the new home of Bach Seat. One of the nicer things about my new host is that I can now get WordPress alerts. And I have been getting a ton of alerts from the firewall that it blocked “yuzo-related” attack attempts. So I decided to see WTF “yuzo-related” attack attempts were about and found an excellent explanation on the WordFence site.
60,000 WordPress websites
Dan Moen at WordFence explains that the Yuzo Related Posts (YRP) plugin for WordPress has an unpatched vulnerability that was publicly disclosed by a security researcher on March 30, 2019. The flaw, which allows stored cross-site scripting (XSS), is now being exploited in the wild. The buggy plugin is installed on over 60,000 websites and has been removed from the WordPress.org plugin directory.
WordFence recommends that all users remove the plugin from their sites immediately.
The blog’s author writes that the vulnerability in YRP stems from missing authentication checks in the plugin routines responsible for storing settings in the database. The code below is the crux of the problem. There is more in-depth coding tech-talk at WordFence.
```php
}elseif( is_admin() ){ // only admin
```
He says developers often mistakenly use is_admin() to check if a piece of code that requires administrative privileges should be run, but as the WordPress documentation points out, that isn’t how the function should be used.
Injects malicious JavaScript
The result is that an unauthenticated attacker can inject malicious content, such as a JavaScript payload, into the plugin settings. That payload is then inserted into HTML templates and executed by the web browser when users visit the compromised website. This security issue could be used to deface websites, redirect visitors to unsafe websites, or compromise WordPress administrator accounts, among other things.
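The pattern described above next to a hardened version, as an added example rather than code from the Yuzo plugin or from WordFence. It assumes it is loaded as a WordPress plugin file, and every `example_related_*` option, field, action and function name is hypothetical.

```php
<?php
/**
 * Plugin Name: Example Related Settings (illustration only)
 *
 * Added example, not the Yuzo Related Posts source. Every example_related_*
 * option, field, action and function name is hypothetical.
 */
defined( 'ABSPATH' ) || exit;

// VULNERABLE PATTERN: is_admin() only says the request targets an admin-area
// URL. It is true for logged-out visitors as well, so this check authorizes
// nobody and anyone who can reach the handler can overwrite the setting.
// Shown for comparison; deliberately not hooked.
function example_related_save_vulnerable() {
	if ( is_admin() && isset( $_POST['example_related_title'] ) ) {
		update_option( 'example_related_title', $_POST['example_related_title'] );
	}
}

// HARDENED HANDLER: capability check + nonce + input sanitizing.
function example_related_save() {
	if ( ! isset( $_POST['example_related_title'] ) ) {
		return; // Not our form submission.
	}
	// 1. Authorization: who is asking, not which URL was requested.
	if ( ! current_user_can( 'manage_options' ) ) {
		wp_die( 'You are not allowed to change these settings.', '', array( 'response' => 403 ) );
	}
	// 2. Intent: reject forged cross-site submissions (dies if the nonce is bad).
	check_admin_referer( 'example_related_save', 'example_related_nonce' );
	// 3. Input: strip tags and control characters before storing.
	$title = sanitize_text_field( wp_unslash( $_POST['example_related_title'] ) );
	update_option( 'example_related_title', $title );
}
add_action( 'admin_init', 'example_related_save' );

// Settings form: emits the nonce that check_admin_referer() verifies.
function example_related_form() {
	echo '<form method="post">';
	wp_nonce_field( 'example_related_save', 'example_related_nonce' );
	printf(
		'<input type="text" name="example_related_title" value="%s">',
		esc_attr( get_option( 'example_related_title', '' ) )
	);
	submit_button();
	echo '</form>';
}
add_action( 'admin_menu', function () {
	// The menu page itself is also gated on the manage_options capability.
	add_options_page( 'Example Related', 'Example Related', 'manage_options', 'example-related', 'example_related_form' );
} );

// Front-end output (call from a theme template): escape on the way out too,
// so a value already stored by an earlier compromise is rendered as text
// instead of executing as script.
function example_related_heading() {
	echo '<h3>' . esc_html( get_option( 'example_related_title', '' ) ) . '</h3>';
}
```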
As evidenced by the number of probes against my site, threat actors have begun exploiting sites with YRP installed. The exploits in the wild inject malicious JavaScript. When a visitor lands on a compromised website containing the malicious payload, they will be redirected to malicious tech support scam pages.
The WordFence analysis shows that the attempts to exploit this vulnerability in YRP share a number of commonalities with attacks on two other vulnerabilities discovered in other plugins: Social Warfare and Easy WP SMTP.
The security researchers found that all three campaigns so far share these traits:
- They used a malicious script hosted on hellofromhony[.]org, which resolves to 176.123.9[.]53.
- They involved exploitation of stored XSS injection vulnerabilities and deployed malicious redirects.
WordFence is confident that the tactics, techniques and procedures in all three attacks point to a common threat actor.
WordFence recommends that WordPress site owners running Yuzo Related Posts remove it from their sites immediately, at least until a fix has been published by the author.
rb-
What to do?
- Keep your WordPress and plugins up to date.
- Do you really need Yuzo Related Posts? Here is a list of alternatives from WordPress.
- Make sure you have good backups of your WordPress site – and you can restore it.
- Get a firewall on your WordPress site
- Block the IP 176.123.9[.]53 from your site.
- Harden your WordPress site.
Password Reset Practices “Obsolete”
Followers of the Bach Seat know that passwords suck. And now Microsoft (MSFT) has joined me in that revelation. The boys in Redmond recently recommended that organizations no longer force employees to change their password every 60 days.
In a TechNet blog penned by Aaron Margosis, a principal consultant for Microsoft, the company called the practice – once a cornerstone of enterprise identity management – “ancient and obsolete” as it told IT administrators that other approaches are much more effective in keeping users safe.
Periodic password expiration is an ancient and obsolete mitigation of very low value, and we don’t believe it’s worthwhile for our baseline to enforce any specific value
In the latest security configuration baseline for Windows 10, which allows administrators to use Microsoft-recommended GPO baselines for improving the overall security posture of a system and reduce a Windows 10 machine’s attack surface, “May 2019 Update” (1903) – (available as a ZIP file for download here) Microsoft dropped the idea that passwords should be frequently changed. Previous baselines had advised enterprises to mandate a password change every 60 days. (And that was down from an earlier 90 days.)
Mr. Margosis acknowledged that policies to automatically expire passwords – and other group policies that set security standards – are often misguided. He wrote,
The small set of ancient password policies enforceable through Windows’ security templates is not and cannot be a complete security strategy for user credential management … Better practices, however, cannot be expressed by a set value in a group policy and coded into a template.
Among those other, better practices, Mr. Margosis mentioned multi-factor authentication – also known as two-factor authentication – and banning weak, vulnerable, easily guessed, or frequently revealed passwords.
ComputerWorld points out that Microsoft is not the first to doubt the convention. The National Institute of Standards and Technology (NIST) made similar arguments as it downgraded regular password replacement. “Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically),” NIST said in a FAQ that accompanied the June 2017 version of SP 800-63, “Digital Identity Guidelines,” using the term “memorized secrets” in place of “passwords.”
Then, the institute had explained why mandated password changes were a bad idea this way:
Users tend to choose weaker memorized secrets when they know that they will have to change them in the near future. When those changes do occur, they often select a secret that is similar to their old memorized secret by applying a set of common transformations such as increasing a number in the password.
Both the NIST and Microsoft urged organizations to require password resets when there is evidence that the passwords had been stolen or otherwise compromised. And if they haven’t been touched? “If a password is never stolen, there’s no need to expire it,” Microsoft’s Margosis said.
John Pescatore, the director of emerging security trends at the SANS Institute told ComputerWorld;
I agree 100% with Microsoft’s logic for enterprises, which are who uses [group policies] anyway … Forcing every employee to change passwords at some arbitrary period almost invariably causes more vulnerabilities to appear in the password reset process (because there are now frequent spikes of users forgetting their passwords) which increases risk more than the forced password reset ever decreases it.
Like Microsoft and NIST, SANS’s Pescatore thought periodic password resets are the hobgoblins of little minds. “Having [this] as part of the baseline makes it easier for security teams to claim compliance because auditors are happy,” Pescatore told ComputerWorld. “Focusing on password reset compliance was a huge part of all the money wasted on Sarbanes-Oxley audits 15 years ago. A great example of how compliance does not equal security.”
ComputerWorld notes other changes in the Windows 10 1903 draft baseline: Microsoft also dropped policies for the BitLocker drive encryption method and its cipher strength. The prior recommendation was to use the strongest available BitLocker encryption, but that, Microsoft said, was overkill (“Our crypto experts tell us that there is no known danger of [128-bit encryption] being broken in the foreseeable future,” MSFT’s Margosis told ComputerWorld), and it could easily degrade device performance.
Microsoft is also looking for feedback on a proposed change that would drop the forced disabling of Windows’ built-in Guest and Administrator accounts. Microsoft’s Margosis hedged a bit;
Removing these settings from the baseline would not mean that we recommend that these accounts be enabled, nor would removing these settings mean that the accounts will be enabled. Removing the settings from the baselines would simply mean that administrators could now choose to enable these accounts as needed.
rb-
We have covered this before: forcing users to change passwords over short time-frames inevitably leads to users choosing the simplest, most memorable, and most crackable passwords possible. Things have changed over the years, including technology that now enables threat actors to crack simplistic passwords easily.
MSFT is now actively pushing MFA in the enterprise so it is not surprising they are going away from this general password policy.
MSFT changing its security baselines won’t change requirements made by regulatory authorities (PCI-DSS, HIPAA, SOX, NERC) and auditors. It takes years and years for them to change.
The change does not affect home users – but maybe it will make them think?
Slowly the world of passwords is starting to come under control.
What is 5G ?
Updated 07/16/2019 – Qualcomm released the Snapdragon 855 Plus. It features a Kryo 486 CPU Prime core with a clock speed of 2.96 GHz and a 15% faster Adreno 640 GPU. Qualcomm claimed in a presser, the 855 Plus would deliver better coverage and all-day battery life in 5G devices.
—
AT&T (T), Verizon (VZ), Sprint (S), and other carriers are hyping 5G. But what exactly is 5G? If you believe the hype, it is the greatest thing since sliced bread. 5G will improve our homes, make our cities safer, our machines smarter, our cars driverless, our entertainment mobile and our phones faster. So what is the tech behind the hype?
When 5G really gets here, it will bring three improvements to current wireless: greater speed, lower latency, and more connections. The real advantages of 5G will come in massive capacity and lower latency. The standards bodies involved are aiming at 20Gbps speeds and 1ms latency.
Work on 5G started 10-15 years before anything went commercial, Marcus Weldon, CTO and president of Nokia Bell Labs, told FierceWireless. Finally, in 2017, the 3rd Generation Partnership Project, the standards body that writes the rules for wireless connectivity, agreed on the first specification for 5G. The Non-Standalone Specification of 5G New Radio standard covers 600 and 700 MHz bands and the 50 GHz millimeter-wave end of the spectrum. But, as followers of the Bach Seat know, a standard doesn’t mean that it will work the same, or what applications it will enable.
The G in 5G means it’s a generation of wireless technology. PC Magazine says that while most wireless generations have technically been defined by their data transmission speeds, each has also been marked by a break in encoding methods, or “air interfaces,” that make it incompatible with the previous generation. The earlier G’s were:
- 1G was analog cellular.
- 2G technologies, such as CDMA, GSM, and TDMA, launched in 1991, were the first generation of digital cellular technologies, without much concern for data transmission or the mobile Web.
- 3G technologies, such as EVDO, HSPA, and UMTS, brought speeds from 200kbps to a few megabits per second. It focused on applications in voice telephony, mobile Internet, video calls, and mobile TV.
- 4G technologies, such as WiMAX and LTE, were the next incompatible leap forward, and they are now scaling up to hundreds of megabits and even gigabit-level speeds. 4G was designed to better support IP telephony, video conferencing, and cloud computing, as well as video streaming and online gaming.
The actual 5G radio system, known as 5G-NR, isn’t compatible with 4G. But for the foreseeable future, all US 5G devices will need 4G to set up 5G connections where it’s available. That’s technically known as a “non-standalone,” or NSA, network. Later 5G networks will become “standalone,” or SA, not requiring 4G coverage to work.
Like other cellular networks, 5G networks use a system of cell sites that divide their territory into sectors and send encoded data through radio waves according to PCMag. Each cell site requires a network backbone connection, whether through a wired or wireless backhaul connection. 5G networks use a type of encoding called OFDM.
5G is designed to carry higher speeds by using much larger channels than 4G. While most 4G channels are 20MHz, bonded together into up to 160MHz at a time, 5G channels can be up to 100MHz, with Verizon using as much as 800MHz at a time. That’s a much broader highway, but it also requires larger, clear blocks of airwaves than were available for 4G. PCMag cites Qualcomm (QCOM) claims that 5G will be able to boost capacity by four times over current systems by leveraging wider bandwidths and advanced antenna technologies.
5G primarily runs in two kinds of airwaves: below and above 6GHz. Low-frequency 5G networks, which use existing cellular and Wi-Fi bands, take advantage of more flexible encoding and bigger channel sizes to achieve speeds 25 to 50 percent better than LTE, according to a presentation by T-Mobile (TMUS) exec Karri Kuoppamaki.
Those networks can cover the same distances as existing cellular networks and generally won’t need more cell sites. Rural networks will likely be stuck with low-band 5G, because low-frequency bands have a great range from cell towers.
To get super-high, multi-gigabit speeds, carriers are turning to newer, much higher frequencies, known as millimeter wave (mmWave). In the existing cellular bands, only relatively narrow channels are available because that spectrum is so busy and heavily used. But up at 28GHz and 39GHz, there are big, broad swathes of spectrum available to create big channels for very high speeds.
The 28GHz and 39GHz bands have previously only been used for backhaul. They haven’t been used for consumer devices before, because the handheld processing power and miniaturized antennas weren’t available. Millimeter wave signals also drop off faster with distance than lower frequencies, and the massive amount of data they transfer will need more connections to landline internet. So cellular providers will have to use many smaller, lower-power base stations rather than fewer, more powerful macrocells to offer the multi-gigabit speeds that millimeter wave networks promise.
There’s a third set of 5G airwaves being used overseas. These frequencies, ranging from 3.5GHz to 7GHz, are slightly above current cellular bands but have quantities of spectrum (speed) that approach mmWave. The US is falling behind other countries in the mid-band spectrum because over here, it’s being used for satellite communications and the Navy.
Bell Labs’ Weldon described his idea of a true 5G network for FierceWireless:
… you need a low band that gives you nationwide coverage—higher efficiency on it; a mid-band for high-capacity, relatively locally; and millimeter-wave for super high-capacity, extremely locally, and if you blend all those together, you’ve got a network that really is significant.
Some believe that mmWave 5G will not work. T-Mobile CTO Neville Ray wrote that millimeter-wave won’t be able to deliver on the promise of 5G because it doesn’t travel far. Jeffrey Moore, principal analyst at Wave7 Research, told FierceWireless, “…there are definitely some concerns about the economics of 5G.”
rb-
5G is an investment for the next decade. It is unlikely that the next big application will drop in 5G until 2021 or 2022. It is likely that a true 5G iPhone won’t appear until later 2020 and Qualcomm will not release its second-generation Snapdragon X55 5G modem until late 2019. The new chip will support all major spectrum types and bands. Qualcomm claims it is capable of 7Gbps downloads. Until then, the wireless carriers will jockey for customers and mind share.
The providers desperately need 5G to boost smartphone sales. The smartphone market is saturated. Deloitte found (PDF) that 80% of people in developed nations now own a smartphone and wait up to 4 years to replace their device – a significant increase from the 2-year refresh rate in 2011-12.
Bach Seat is Moving
Pardon my dust while I shake out the cobwebs
from my corner of the web.

